[00:10.800 --> 00:11.980]  There we go.
[00:12.160 --> 00:14.480]  All right, welcome back everybody.
[00:14.480 --> 00:18.260]  We are here with another of our great DEF CON speakers.
[00:18.260 --> 00:20.420]  We have Patrick Kiley here,
[00:20.420 --> 00:23.660]  and you can check out his presentation on YouTube
[00:24.360 --> 00:26.160]  where he talked about reverse engineering
[00:26.160 --> 00:30.280]  the Tesla battery management system for more power.
[00:30.280 --> 00:32.160]  Welcome Patrick, how are you doing today?
[00:32.560 --> 00:33.760]  I'm great, how are you guys?
[00:33.760 --> 00:35.440]  Doing all right.
[00:35.660 --> 00:36.400]  Pretty good.
[00:36.400 --> 00:38.560]  So can you just kind of give us a little bit
[00:38.560 --> 00:41.200]  of an overview of who you are?
[00:41.920 --> 00:45.280]  Let people hear a little bit about your presentation
[00:45.280 --> 00:46.720]  just in case they haven't seen it
[00:46.720 --> 00:49.320]  or kind of give a little bit of an overview recap.
[00:50.140 --> 00:53.220]  Sure, so my name is Patrick Kiley.
[00:53.220 --> 00:56.080]  I'm a security consultant for Rapid7,
[00:56.080 --> 00:57.980]  part of the penetration testing team.
[00:58.240 --> 01:01.020]  And I got interested in this project
[01:01.600 --> 01:04.480]  back when I just started looking at how the Tesla
[01:04.480 --> 01:08.180]  kind of worked inside the Model S specifically.
[01:08.180 --> 01:10.160]  I'd seen how some people had hacked them.
[01:10.520 --> 01:12.680]  And once I got a chance to peek under the hood,
[01:12.680 --> 01:14.120]  I just wanted to learn more and more.
[01:14.120 --> 01:17.800]  I was already into car hacking and learning more about this.
[01:17.800 --> 01:20.580]  And once I realized that there was an upgrade
[01:20.580 --> 01:23.500]  that this car had that nobody had really researched
[01:23.500 --> 01:26.960]  and actually published information about,
[01:26.960 --> 01:28.440]  it kind of gave me a path forward.
[01:28.440 --> 01:29.500]  So I wanted to see like, okay,
[01:29.500 --> 01:34.080]  how did Tesla actually make this car capable of ludicrous?
[01:34.080 --> 01:36.080]  And it sent me down a path
[01:36.080 --> 01:39.040]  that was probably the most complicated project
[01:39.040 --> 01:40.440]  I've ever worked on.
[01:40.940 --> 01:42.160]  That's awesome.
[01:42.320 --> 01:44.240]  And I believe this is your first time
[01:44.240 --> 01:47.160]  being a main track speaker for DEF CON.
[01:47.160 --> 01:47.800]  Is that right?
[01:47.800 --> 01:48.900]  That's correct, yes.
[01:48.900 --> 01:49.720]  All right.
[01:49.720 --> 01:52.320]  Well, for anyone that is familiar with DEF CON,
[01:52.320 --> 01:53.860]  we have a tradition that you should be
[01:53.860 --> 01:54.980]  very familiar with by now.
[01:54.980 --> 01:56.360]  It's called Shot the New.
[01:56.720 --> 02:00.480]  New speakers are welcomed into the DEF CON speaker collective
[02:00.480 --> 02:03.620]  with a shot of a drink of their choice.
[02:04.980 --> 02:07.000]  It's to bring them into the community,
[02:07.000 --> 02:08.540]  celebrate their joining,
[02:08.540 --> 02:11.240]  the people that are giving back to the community knowledge.
[02:11.620 --> 02:13.060]  So thank you.
[02:13.060 --> 02:14.000]  Here's to you.
[02:14.000 --> 02:14.660]  Bottoms up.
[02:14.660 --> 02:15.800]  Cheers, congrats.
[02:16.360 --> 02:17.360]  Thank you.
[02:21.020 --> 02:22.460]  That's a mouthful.
[02:23.840 --> 02:24.300]  Okay.
[02:24.660 --> 02:25.540]  All right.
[02:25.540 --> 02:25.900]  Good.
[02:25.900 --> 02:28.420]  Loosen you up before the questions start getting serious.
[02:29.560 --> 02:30.180]  Okay.
[02:30.180 --> 02:32.520]  So first off, like I was blown away
[02:32.520 --> 02:35.760]  by the amount of different
[02:36.720 --> 02:39.260]  like techniques and skill sets
[02:39.260 --> 02:41.440]  that you cruised through in your talk.
[02:41.440 --> 02:45.160]  You had hardware reversing, hardware debugging,
[02:45.160 --> 02:49.420]  assembly reversing, decompiling, compiled Python,
[02:49.420 --> 02:54.520]  diagnosing obscure third-party issues, binary extraction,
[02:54.520 --> 02:57.260]  just like a crazy amount of things.
[02:57.840 --> 03:00.080]  Like, how did you go about like piecing
[03:00.080 --> 03:00.940]  all these things together?
[03:00.940 --> 03:02.420]  Like, how did you find your next steps
[03:02.980 --> 03:06.000]  to go through everything?
[03:06.380 --> 03:07.560]  Yeah, so piece by piece.
[03:07.560 --> 03:10.640]  I already had like the mechanical skills.
[03:10.640 --> 03:11.940]  So, you know, in the past,
[03:11.940 --> 03:15.640]  I've had like a Mustang that I've either replaced
[03:15.640 --> 03:18.040]  the heads on or put a supercharger on,
[03:18.040 --> 03:20.020]  or, you know, things along those lines,
[03:20.020 --> 03:21.440]  replaced exhaust systems on.
[03:21.440 --> 03:22.980]  So I had the mechanical knowledge already.
[03:22.980 --> 03:26.360]  I've been doing that for longer than I care to admit.
[03:26.800 --> 03:28.540]  I think even when I was a teenager,
[03:28.540 --> 03:30.360]  I was tinkering around with automobiles
[03:30.360 --> 03:34.000]  and taking them apart, taking carburetors apart.
[03:34.000 --> 03:36.540]  So complex, small items like that.
[03:37.080 --> 03:39.960]  And then just trying to take things apart
[03:39.960 --> 03:41.380]  and figure out how they work
[03:41.380 --> 03:43.260]  has been something I've been doing since I was a child.
[03:43.260 --> 03:44.640]  My parents told me about how the time
[03:44.640 --> 03:46.220]  I locked them out of the bathroom
[03:46.220 --> 03:49.280]  and then just proceeded to disassemble the toilet.
[03:52.020 --> 03:53.320]  And I don't remember that,
[03:53.320 --> 03:56.060]  but they remind me of it on pretty much every occasion
[03:56.060 --> 03:58.240]  when I talk about something I've been working on.
[03:58.240 --> 04:00.340]  So there's that.
[04:00.340 --> 04:03.360]  So really, once I started getting into it,
[04:03.360 --> 04:06.800]  I already had the reverse engineering skills
[04:06.800 --> 04:08.240]  from just doing some other stuff
[04:08.240 --> 04:11.200]  and had the CAN bus skills.
[04:11.200 --> 04:14.260]  If you look at some of the previous presentations I've done,
[04:14.260 --> 04:16.840]  I've been poking around CAN bus for some time.
[04:17.620 --> 04:20.320]  So having the DBC files,
[04:20.320 --> 04:23.720]  it was really trivial to just diagnose
[04:24.380 --> 04:26.900]  the stuff going on within the CAN bus.
[04:26.960 --> 04:30.020]  From there, it was just, okay,
[04:30.020 --> 04:31.360]  how do I do these other things?
[04:31.360 --> 04:34.180]  I know that CAN has this protocol
[04:34.180 --> 04:39.000]  that sits on top of the thing itself
[04:39.000 --> 04:41.160]  for running diagnosis called ODX.
[04:41.160 --> 04:43.680]  So I found those, or called UDS.
[04:43.680 --> 04:47.980]  I found those ODX files and worked with a car hacker
[04:47.980 --> 04:51.260]  who helped show me how to use them.
[04:51.260 --> 04:54.060]  He's one of the main guys for the car hacking village.
[04:54.260 --> 04:56.320]  He showed me how to actually import those
[04:56.320 --> 04:58.620]  into Vehicle Spy and play around with them.
[04:59.420 --> 05:01.940]  Helped me figure out some of the security access stuff.
[05:01.940 --> 05:04.260]  I'd already seen some of that from Greg Smith's work,
[05:04.260 --> 05:07.200]  where he figured out how to pop airbags on cars.
[05:07.320 --> 05:09.140]  So I knew about security access,
[05:09.140 --> 05:10.980]  I just didn't understand the algorithm.
[05:11.400 --> 05:15.060]  But Tesla's algorithm, fortunately for this vehicle,
[05:15.060 --> 05:16.360]  was incredibly simple.
[05:16.360 --> 05:17.640]  It's a static seed and key.
[05:17.640 --> 05:19.740]  There's no transform required.
[05:19.740 --> 05:21.560]  It's like you request the seed
[05:21.560 --> 05:24.960]  and you reply with a fixed reply and boom, you're in.
[05:25.620 --> 05:27.260]  So that made that part easy.
[05:27.260 --> 05:30.140]  And then the rest of it was just piece by piece,
[05:30.140 --> 05:31.740]  digging through the Python code,
[05:31.740 --> 05:34.060]  and then building a test bench,
[05:34.060 --> 05:35.960]  which for any reverse engineering project
[05:35.960 --> 05:38.340]  when you're dealing with a very expensive piece of hardware,
[05:38.340 --> 05:41.800]  try and replicate it on a bench because that was invaluable.
[05:41.800 --> 05:44.220]  I never would have attempted half the stuff I did
[05:44.220 --> 05:46.020]  if I hadn't proofed it out
[05:46.020 --> 05:48.860]  using a much cheaper variant of it
[05:48.860 --> 05:51.540]  that I just wired together and figured out how to work.
[05:52.600 --> 05:54.800]  There was one jump in particular
[05:55.380 --> 05:59.220]  that it was right after you had your Tesla towed home,
[05:59.220 --> 06:02.680]  not figuring out what those particular,
[06:02.680 --> 06:04.500]  like what was going on with there.
[06:04.660 --> 06:08.040]  Like, do you remember like what was the final thing
[06:08.040 --> 06:09.540]  that got you past that hump?
[06:10.680 --> 06:12.620]  Oh, I remember it really well.
[06:12.620 --> 06:14.900]  I imagine that there was some stress involved there.
[06:14.900 --> 06:15.660]  So, yeah.
[06:15.660 --> 06:18.860]  So, I mean, I was into day two of trying to...
[06:19.900 --> 06:20.560]  Oh.
[06:22.220 --> 06:24.020]  Having a little video loss,
[06:24.020 --> 06:27.000]  might be some Wi-Fi interference or something.
[06:27.400 --> 06:30.100]  I said, no, I'm not here for the weekend.
[06:30.100 --> 06:31.560]  I'm over in Irvine.
[06:31.660 --> 06:33.000]  We're here in Rancho Cucamonga.
[06:33.000 --> 06:34.040]  I'm not coming here.
[06:34.360 --> 06:35.520]  You can come on Monday.
[06:35.520 --> 06:38.820]  I'm like, no, I'm gonna bail out
[06:38.820 --> 06:40.120]  and figure the rest of this out at home.
[06:40.120 --> 06:41.280]  So, I only needed your garage
[06:41.280 --> 06:43.660]  to drop the battery and do that stuff.
[06:44.320 --> 06:45.660]  If I have to come back for that,
[06:45.660 --> 06:49.200]  I'm really in an SOL type situation.
[06:49.200 --> 06:52.400]  So, stressing out that for a day and a half,
[06:52.400 --> 06:54.280]  I just started capturing a bunch of logs.
[06:54.280 --> 06:57.360]  So, just from past experience,
[06:57.360 --> 06:59.460]  I was like, maybe the logs are telling me something.
[06:59.460 --> 07:01.080]  And the logs weren't great,
[07:01.080 --> 07:04.100]  but they did mention this one file
[07:04.620 --> 07:06.920]  and it was a firmware.rc.
[07:06.920 --> 07:08.480]  It mentioned that a couple of times.
[07:08.480 --> 07:10.360]  It kind of just had that around the point
[07:10.360 --> 07:12.320]  where it said error and I could see that it failed.
[07:12.320 --> 07:14.540]  So, basically, I time stamped,
[07:14.540 --> 07:17.380]  okay, when the car said, you know, fuck you,
[07:17.380 --> 07:19.620]  I'm not actually gonna upgrade
[07:19.620 --> 07:21.500]  or let you redeploy the software.
[07:21.500 --> 07:23.620]  I kind of noted where that time was
[07:23.620 --> 07:24.880]  and looked right there in the logs
[07:24.880 --> 07:26.680]  and saw an error about that.
[07:26.920 --> 07:28.320]  And then I just did some searching.
[07:28.320 --> 07:30.160]  It turns out the Tencent guys,
[07:30.160 --> 07:33.240]  when they did their Tesla gateway reversing,
[07:33.240 --> 07:34.220]  they mentioned that file.
[07:34.220 --> 07:36.380]  They mentioned how that file was loaded into memory.
[07:36.780 --> 07:38.320]  I'm like, I've never seen that file before.
[07:38.320 --> 07:39.360]  I've seen it mentioned, you know,
[07:39.360 --> 07:40.640]  I searched through all my stuff,
[07:40.640 --> 07:42.880]  found a couple references to it.
[07:42.880 --> 07:44.880]  And then I just like, well, let's just go to the gateway
[07:44.880 --> 07:47.120]  and see if it'll give it to me.
[07:47.120 --> 07:48.500]  And just to give you a little background,
[07:48.500 --> 07:50.720]  this is not while I have the car.
[07:51.940 --> 07:53.280]  I had already spent the two days.
[07:53.280 --> 07:54.560]  I was already flustered.
[07:54.720 --> 07:57.300]  I had to buy a last minute ticket home, flew home,
[07:57.300 --> 07:59.300]  and I was messing around on my bench.
[07:59.360 --> 08:01.880]  So I was like, I went to my bench version
[08:01.880 --> 08:04.060]  that had a gateway and said, give me firmware.rc.
[08:04.060 --> 08:05.060]  It gave it to me.
[08:05.060 --> 08:06.380]  I'm like, cool.
[08:06.560 --> 08:08.200]  Okay, you've got this BMS error.
[08:08.200 --> 08:10.060]  I've already replicated that.
[08:11.200 --> 08:12.620]  Looked at the values in it.
[08:12.620 --> 08:15.180]  And I actually have a copy of the map here,
[08:15.180 --> 08:17.380]  but there's no real way to share it,
[08:17.380 --> 08:21.800]  but there's basically a tab separated value file.
[08:21.860 --> 08:24.220]  And within that file, it tells you the firmware
[08:24.220 --> 08:27.780]  that that particular battery pack ID needs.
[08:27.800 --> 08:31.020]  And it has a little CRC code.
[08:31.020 --> 08:34.120]  That CRC code needs to be in that firmware.rc file.
[08:34.120 --> 08:36.840]  And once that was updated with the correct CRC code
[08:36.840 --> 08:40.960]  and the BMS I knew was firmware version of firmware,
[08:40.960 --> 08:43.120]  I could also see that CRC code being broadcast
[08:43.120 --> 08:44.760]  by the BMS again.
[08:45.120 --> 08:46.180]  I did that.
[08:46.180 --> 08:48.760]  And then I was like, okay, well, there's this final CRC file.
[08:48.760 --> 08:50.220]  How do I figure that out?
[08:50.740 --> 08:52.960]  I asked some people that I knew.
[08:52.960 --> 08:56.340]  It's like, hey, I don't know a ton about CRC32s,
[08:57.040 --> 08:58.380]  but here's what I have.
[08:58.380 --> 09:02.000]  And here's the file itself with the CRC value.
[09:02.000 --> 09:04.440]  And then someone said, yo, it's a JAMCRC.
[09:04.440 --> 09:05.240]  Here's a file.
[09:05.240 --> 09:08.300]  Here's a website you can go to to recreate it.
[09:08.300 --> 09:12.260]  So I recreated the last CRC line,
[09:12.260 --> 09:13.580]  uploaded it back to the gateway,
[09:13.580 --> 09:15.400]  rebooted the gateway, and the error cleared.
[09:15.400 --> 09:17.460]  So I'm like, good, I've got a path forward.
[09:17.460 --> 09:21.260]  I can't wait for the car to actually try all this.
[09:21.260 --> 09:24.800]  And the car was basically being an asshole as well
[09:24.800 --> 09:27.140]  because the battery wasn't engaging.
[09:27.140 --> 09:28.880]  It was just dealing with 12 volts.
[09:29.080 --> 09:30.680]  So a lot of the components,
[09:30.680 --> 09:32.640]  it would just basically shut down after a little while.
[09:32.640 --> 09:33.620]  So I basically had to make sure
[09:33.620 --> 09:36.200]  it had a good battery maintainer on it.
[09:36.360 --> 09:38.180]  So it sat there for a few minutes
[09:38.180 --> 09:41.180]  to make sure that the 12 volts had enough juice.
[09:41.180 --> 09:42.980]  And then I tried to get the gateway
[09:42.980 --> 09:44.380]  to go through its process.
[09:44.380 --> 09:46.100]  And as soon as that car woke up
[09:46.100 --> 09:48.320]  and I heard the clicks of the contactors in the rear,
[09:48.320 --> 09:51.480]  it was like, hallelujah, I figured it out.
[09:52.920 --> 09:55.780]  There was one other thing that you said you'd missed
[09:55.780 --> 09:58.380]  that you would only say over drinks.
[09:58.380 --> 10:00.120]  We did just have a drink.
[10:00.240 --> 10:01.260]  Can you tell us?
[10:01.260 --> 10:02.220]  No, okay.
[10:02.400 --> 10:05.080]  It was basically me messing around with the car
[10:05.080 --> 10:09.180]  and putting on a feature that it didn't really need to have
[10:09.180 --> 10:10.420]  that was causing the error.
[10:10.420 --> 10:12.740]  It's just, you know, different times
[10:12.740 --> 10:15.340]  I was screwing around with something I shouldn't have been.
[10:15.460 --> 10:18.200]  So it was my own fault is really the crux
[10:18.200 --> 10:19.640]  of what I want to say there.
[10:19.720 --> 10:22.260]  Fair, so it was to catch you in person over drinks.
[10:22.440 --> 10:24.400]  Like, I tried to slip that in,
[10:24.870 --> 10:26.280]  didn't expect it to really work.
[10:26.280 --> 10:27.400]  That was pretty sly.
[10:28.780 --> 10:29.900]  Nice try, Paisley.
[10:30.640 --> 10:31.280]  Yep.
[10:32.900 --> 10:34.440]  Go ahead, go ahead.
[10:34.560 --> 10:36.600]  Got one question coming in for you
[10:37.110 --> 10:39.700]  that you would have had to pay Tesla about $5,000
[10:39.700 --> 10:41.700]  to make this transition.
[10:41.700 --> 10:44.800]  What was the approximate cost for you to do it yourself?
[10:47.920 --> 10:49.480]  Counting the towing or not?
[10:49.480 --> 10:50.680]  Let's say not,
[10:50.680 --> 10:53.520]  because maybe somebody will learn from your lesson.
[10:53.800 --> 10:59.920]  So the fuse itself,
[10:59.920 --> 11:03.480]  where I found on the used market for about 350 bucks,
[11:03.480 --> 11:05.980]  I found the contactors for about 200.
[11:06.280 --> 11:07.820]  The rest of that was just basically
[11:07.820 --> 11:10.000]  my time and effort and labor.
[11:10.480 --> 11:13.400]  So just basically meaning my labor.
[11:14.860 --> 11:17.380]  The rest of the stuff didn't really cost me anything
[11:17.380 --> 11:19.200]  other than just time.
[11:19.200 --> 11:22.320]  And then of course there were all the components to my bench.
[11:22.500 --> 11:27.440]  You can buy a Tesla MCU for about $1,700 to $1,000
[11:28.000 --> 11:30.080]  on eBay or some of the other markets.
[11:30.100 --> 11:33.360]  And the BMS is running anywhere between 150 and 300.
[11:33.920 --> 11:36.480]  I wanted to make sure I got a BMS with the shunt.
[11:36.480 --> 11:37.360]  That was a little bit harder.
[11:37.360 --> 11:39.260]  I just happened to get lucky and saw one.
[11:41.240 --> 11:43.980]  But the bench parts, I guess you could consider,
[11:43.980 --> 11:46.380]  were major portions of that all.
[11:46.840 --> 11:49.840]  And then there is a second kit that I bought
[11:49.840 --> 11:53.640]  just to be safe that was actually the exact part number
[11:53.640 --> 11:56.340]  that Tesla used to do the upgrade.
[11:56.340 --> 11:57.980]  So basically people would pay for this kit
[11:57.980 --> 12:00.580]  and it would be part of their whole upgrade package.
[12:00.580 --> 12:01.620]  I bought one of those as well
[12:01.620 --> 12:03.580]  to make sure there wasn't something I was missing.
[12:03.580 --> 12:05.200]  And that was about another $1,000.
[12:05.720 --> 12:08.420]  Can people just go to their local junkyard
[12:08.420 --> 12:12.120]  and pull pieces themselves to create a test bench?
[12:12.120 --> 12:14.380]  And if so, do you think the junkyards
[12:14.380 --> 12:16.360]  really understand the value of this equipment
[12:16.360 --> 12:17.820]  that you're using?
[12:18.760 --> 12:21.820]  Well, so many people are doing weird things with Teslas.
[12:21.820 --> 12:24.760]  So I'm sure they can,
[12:24.760 --> 12:26.400]  but I'm not sure how many junkyards you'll be able to find
[12:26.400 --> 12:28.180]  that actually have Teslas out there.
[12:28.620 --> 12:30.800]  I found the secondary market to be really all,
[12:30.800 --> 12:32.520]  but if you can get one, if you can get to a junkyard
[12:32.520 --> 12:35.580]  and you have one that has an MCU, great.
[12:35.580 --> 12:38.520]  Getting the BMS would be a pain in the...
[12:38.520 --> 12:40.100]  I don't even want to think about it.
[12:40.100 --> 12:42.320]  You basically have to drop the battery pack
[12:42.320 --> 12:45.160]  out of the vehicle to get at that BMS.
[12:45.160 --> 12:47.780]  There's no way to get at it from any other means.
[12:47.780 --> 12:50.020]  So doing that in a junkyard would be problematic.
[12:50.160 --> 12:51.500]  But if you can get that center display
[12:51.500 --> 12:53.740]  and it's not already been snagged,
[12:53.740 --> 12:56.660]  that's the part that you would start with
[12:56.660 --> 12:58.080]  with any test bench,
[12:58.080 --> 13:00.480]  because that's where you learn how to route the card.
[13:00.480 --> 13:02.900]  That's where you learn to do all the changes.
[13:02.900 --> 13:04.540]  That's where the gateway is stored.
[13:04.680 --> 13:07.880]  It really is kind of a central hub of the vehicle.
[13:08.020 --> 13:09.620]  Yes, go ahead, please.
[13:09.620 --> 13:12.740]  I was going to say, I keep hearing you mention the gateway.
[13:13.100 --> 13:16.100]  Like what exactly is the gateway in the car?
[13:16.100 --> 13:17.220]  Can you talk about that?
[13:17.220 --> 13:20.280]  Is it like actually like a network router
[13:20.280 --> 13:21.860]  or is this something else?
[13:21.920 --> 13:24.240]  So it's called the security gateway.
[13:24.840 --> 13:29.140]  It's a function you'll see on newer CAN bus automobiles.
[13:29.530 --> 13:32.620]  It basically is a device that kind of exists like a firewall,
[13:32.620 --> 13:34.400]  but not sort of like a firewall
[13:35.020 --> 13:37.440]  that exists between multiple CAN buses.
[13:37.860 --> 13:39.780]  And in this place, the infotainment unit,
[13:39.780 --> 13:42.060]  the part that actually connects to the internet.
[13:42.060 --> 13:48.060]  So it acts as an Ethernet to CAN bus gateway.
[13:48.700 --> 13:51.960]  So the ethernet side is what connects to the central display,
[13:51.960 --> 13:53.700]  connects to the instrument cluster.
[13:53.700 --> 13:55.300]  And then from the central display,
[13:55.300 --> 13:56.560]  there's like the cellular connection,
[13:56.560 --> 13:59.060]  the Wi-Fi connection, a Bluetooth connection,
[13:59.060 --> 14:03.380]  the USB ports, and then has all the logic
[14:03.380 --> 14:05.500]  for how it communicates out on the internet
[14:05.500 --> 14:06.640]  and the rest of it communicates
[14:06.640 --> 14:09.620]  with the rest of the Tesla mothership.
[14:10.260 --> 14:13.220]  But then the gateway also bridges the various CAN buses.
[14:13.220 --> 14:16.260]  So it can take a message from say the powertrain CAN bus
[14:16.780 --> 14:19.720]  and copy it onto either the ethernet CAN bus
[14:19.720 --> 14:22.420]  or the chassis CAN bus.
[14:22.420 --> 14:25.140]  Consequently, it can take messages from those other CAN buses
[14:25.140 --> 14:27.980]  and push them onto the BMS as well.
[14:27.980 --> 14:30.240]  Because sometimes devices that are not on the same bus
[14:30.240 --> 14:31.820]  need to communicate with one another.
[14:32.420 --> 14:34.100]  So when you're requesting the firmware,
[14:34.100 --> 14:35.760]  is it coming directly from the gateway
[14:35.760 --> 14:38.740]  or is the gateway like asking these sub devices
[14:38.740 --> 14:40.760]  to say, hey, send me your firmware?
[14:42.980 --> 14:45.500]  So when, just to clarify your question,
[14:45.500 --> 14:46.980]  are you talking about the firmware file
[14:47.440 --> 14:49.660]  or are you talking about the firmware itself?
[14:49.700 --> 14:50.980]  Well, kind of both.
[14:50.980 --> 14:54.880]  I think you did both in your, throughout your talk.
[14:54.900 --> 14:56.880]  There was one particular place where I noticed
[14:56.880 --> 15:00.660]  that you were issuing a command line to retrieve a file
[15:00.660 --> 15:02.080]  and then you made some changes.
[15:02.080 --> 15:04.820]  I think it was, you even used VIM, which represent,
[15:05.940 --> 15:07.540]  and then you pushed it back.
[15:07.960 --> 15:10.380]  Yeah, so that was all from the CID.
[15:10.380 --> 15:13.580]  So the CID on the vehicle that we're talking about
[15:13.580 --> 15:16.180]  is an NVIDIA Tegra running Ubuntu.
[15:18.580 --> 15:21.540]  And so it's basically, it's an ARM version of Ubuntu.
[15:21.680 --> 15:25.040]  All the firmware for all the modules of the vehicle
[15:25.820 --> 15:28.260]  sit within that firmware image.
[15:28.260 --> 15:30.880]  And then when people talk about how their Tesla gets updates,
[15:30.880 --> 15:33.960]  it has all new firmware and it pushes out firmware updates
[15:33.960 --> 15:35.840]  to all the various modules that need it.
[15:36.020 --> 15:38.200]  Some module way over here may not need an update
[15:38.200 --> 15:39.500]  so it may not get updated,
[15:39.500 --> 15:41.240]  but that's part of what the gateway
[15:41.240 --> 15:45.480]  and the main system do when they do an update.
[15:45.800 --> 15:49.020]  The gateway itself does store a few files,
[15:49.020 --> 15:52.000]  but it doesn't store a copy of the entire vehicle's firmware.
[15:52.000 --> 15:54.020]  The entire vehicle's firmware is stored
[15:54.020 --> 15:55.680]  on the central display,
[15:55.680 --> 15:57.900]  you know, on that Tegra-based Ubuntu system
[15:57.900 --> 16:00.260]  on that little eMMC chip.
[16:00.540 --> 16:03.380]  That's the same eMMC that people complain about wearing out
[16:03.380 --> 16:04.920]  because of all the logging that's going on,
[16:04.920 --> 16:09.920]  but the image itself has that entire copy of the firmware.
[16:09.920 --> 16:14.140]  The gateway only has things like the firmware.rc file,
[16:14.140 --> 16:17.360]  the internal.dat file, and a few others,
[16:17.360 --> 16:20.700]  layers like hwids.ecq,
[16:21.140 --> 16:23.100]  which is all the hardware IDs of the vehicle,
[16:23.100 --> 16:24.720]  and it gets that from the CAN bus.
[16:24.720 --> 16:27.600]  So the gateway does queries during an upgrade,
[16:27.600 --> 16:32.580]  but there are also some crash files
[16:32.580 --> 16:33.580]  that are stored on the gateway
[16:33.580 --> 16:35.660]  because it's easier for it to store on the gateway.
[16:35.660 --> 16:36.820]  I don't know why it does that,
[16:36.820 --> 16:39.460]  but some of the crash files are stored there as well
[16:39.460 --> 16:42.020]  because I saw on my bench system
[16:42.020 --> 16:45.700]  some images right before the vehicle was crashed.
[16:46.740 --> 16:48.540]  Okay, so when you say crash,
[16:48.540 --> 16:49.900]  it's not like software crashing,
[16:49.900 --> 16:53.080]  it's like black box from the actual crash.
[16:53.080 --> 16:57.680]  Yeah, I think there's another actual black box device,
[16:57.680 --> 17:00.260]  but the gateway stores quite a bit of that.
[17:00.340 --> 17:02.280]  I'm not going to pretend to understand
[17:02.280 --> 17:05.840]  how the whole emergency data recorder function
[17:05.840 --> 17:08.040]  of the vehicle works, but it's there.
[17:08.040 --> 17:09.720]  Some of the files are on the gateway.
[17:09.720 --> 17:13.200]  Yeah, that might be an interesting future talk for someone,
[17:13.200 --> 17:16.760]  just reversing the black box of Tesla.
[17:19.340 --> 17:23.440]  So you also do a lot of stuff with the Car Hacking Village.
[17:23.440 --> 17:25.900]  Is there anything interesting going on
[17:25.900 --> 17:28.960]  that you want to sort of announce while you're here
[17:28.960 --> 17:31.800]  to get people to come and show up in the Car Hacking Village?
[17:33.180 --> 17:34.620]  Anything like that?
[17:34.620 --> 17:36.620]  Your question broke up right at the point
[17:36.620 --> 17:38.340]  where you asked the critical part,
[17:38.340 --> 17:39.540]  so do you mind repeating it?
[17:39.540 --> 17:40.380]  Oh, yeah, sorry, sorry.
[17:40.380 --> 17:43.800]  So you're very active in the Car Hacking Village.
[17:43.820 --> 17:46.480]  Is there anything like interesting going on,
[17:46.480 --> 17:48.520]  like maybe Tesla related or related to your talk
[17:48.520 --> 17:51.780]  that you're going to continue working on,
[17:51.780 --> 17:53.660]  something that you want to like pimp out?
[17:54.020 --> 17:58.280]  So tomorrow at 10 o'clock,
[17:58.280 --> 18:00.180]  I've got a deep dive into many of the techniques
[18:00.180 --> 18:01.400]  that I covered in the main doc.
[18:01.740 --> 18:04.280]  And that's basically because, you know,
[18:04.280 --> 18:06.540]  due to the whole change in the online format,
[18:07.100 --> 18:08.800]  some of the stuff got cut off to the talk.
[18:08.800 --> 18:13.200]  So I have some of the stuff that was cut from my talk itself,
[18:13.200 --> 18:16.040]  but then I also expanded on some additional topics
[18:16.040 --> 18:19.820]  as well. So I go into some of the binary analysis.
[18:19.820 --> 18:22.880]  I load up the firmware inside IDA.
[18:23.340 --> 18:26.940]  I don't get very far, but I show that I was able to load it in IDA.
[18:28.000 --> 18:32.380]  I do some of the like live UDS techniques,
[18:32.380 --> 18:36.240]  you know, the security access as well as the shunt calibration.
[18:36.660 --> 18:39.640]  And then it's just another brief overview.
[18:39.640 --> 18:42.580]  So it's like three different things that I'm kind of talking about.
[18:42.580 --> 18:45.180]  And then, you know, there's some CAN DBC stuff as well.
[18:45.180 --> 18:49.820]  Other than like the setting up a bench itself,
[18:49.820 --> 18:53.580]  is there any particular like software that or tools that people are required
[18:53.580 --> 18:59.540]  to do this kind of like investigation and playgrounds work with car hacking?
[18:59.800 --> 19:04.160]  So I was using a not free tool called Vehicle Spy,
[19:04.160 --> 19:06.620]  only because it was very powerful and made it a lot easier.
[19:07.540 --> 19:11.260]  CAN utils and some of the other stuff out there pretty much
[19:11.760 --> 19:14.420]  make it possible to do whatever you want to out there.
[19:14.420 --> 19:16.540]  There are a ton of CAN bus interfaces out there.
[19:16.540 --> 19:18.020]  One of my favorites is the Panda.
[19:18.040 --> 19:21.320]  So for this, I'm going to give a shout out to the comma.ai folks
[19:21.320 --> 19:24.980]  for actually making such an awesome CAN bus interface.
[19:25.980 --> 19:30.840]  comma.ai is an open source self-driving tool
[19:30.840 --> 19:33.800]  that I'll just let people go out and check it out on their own.
[19:33.800 --> 19:35.620]  But they also they make a tool called the Panda.
[19:35.740 --> 19:37.020]  Works really well with the Tesla.
[19:37.020 --> 19:39.160]  It can connect to three CAN buses at once.
[19:39.780 --> 19:43.680]  A lot of people that have done hacking on the Tesla use that.
[19:43.680 --> 19:45.340]  I'm very impressed with it.
[19:45.340 --> 19:48.640]  It's a very inexpensive tool that'll give you a physical interface.
[19:48.780 --> 19:51.600]  And from that, you can connect over Wi-Fi or USB.
[19:52.040 --> 19:57.060]  And from there, directly start messing around with Linux tools that are all free.
[19:57.060 --> 19:59.000]  And those are all in CAN utils.
[19:59.660 --> 20:00.520]  That's cool.
[20:00.700 --> 20:03.960]  What's been Tesla's reaction to the kind of work
[20:03.960 --> 20:07.780]  that you've been doing to get your car to ludicrous speed?
[20:07.860 --> 20:11.020]  Yeah, so when this talk was accepted,
[20:11.020 --> 20:15.500]  I actually reached out several times and Tesla was very supportive.
[20:15.500 --> 20:20.020]  They actually just asked to review the slides to make sure there weren't any surprises.
[20:20.020 --> 20:22.500]  I kind of told them, hey, I'm going to talk about this, this and this.
[20:22.500 --> 20:24.360]  And they said, yeah, just do us a favor.
[20:24.360 --> 20:27.420]  Send us a copy of your slides, white paper, et cetera.
[20:27.440 --> 20:29.820]  So we'll make sure there aren't any gotchas in there.
[20:29.820 --> 20:31.680]  And they said, yep, everything looks good.
[20:31.680 --> 20:32.800]  You're good to go.
[20:32.980 --> 20:34.360]  So very supportive.
[20:34.560 --> 20:38.800]  They actually have a program called the Security Vehicle Research Program
[20:38.800 --> 20:40.460]  in addition to their bug bounty.
[20:40.460 --> 20:46.220]  So a vehicle that you're interested in doing security research on can be registered with them
[20:46.220 --> 20:48.580]  and you won't violate any warranties.
[20:48.580 --> 20:51.580]  So basically, and supposedly, I haven't tried this,
[20:51.580 --> 20:54.600]  they'll even help you with some bricking situations.
[20:55.240 --> 21:00.600]  Didn't need their help on this one, fortunately, but they do do some of the other stuff.
[21:00.860 --> 21:03.640]  Sorry, excuse me. I've got a really annoying thing going on.
[21:03.660 --> 21:04.780]  There we go.
[21:05.620 --> 21:07.580]  Sorry for anyone that was on the stream.
[21:07.580 --> 21:11.700]  I'm just constantly getting calendar alerts for the next things that I'm responsible for.
[21:12.140 --> 21:19.620]  Are there any other things that you're aware of in a Tesla that you could possibly try to unlock or bypass
[21:19.620 --> 21:26.720]  or anything else that either you want to look into or you think that other people might want to look into to build upon your research?
[21:28.800 --> 21:30.680]  I'd have to think about that one for a bit.
[21:30.680 --> 21:36.320]  Yeah, there are some things I would like to see where the actual limits are in the BMS.
[21:36.320 --> 21:43.880]  I would like to understand those, but I don't really have a desire to push past them because you're starting to get into dangerous territory at that point.
[21:43.940 --> 21:45.580]  I just want to find where they are.
[21:45.580 --> 21:49.400]  So it's like, all right, here's the variable that actually controls max power.
[21:49.400 --> 22:00.340]  Here's the power curve that's basically defined state of charge, battery temperature and how much power is available for the various drive inverters and the battery itself.
[22:01.020 --> 22:02.760]  I'd like to find those.
[22:02.760 --> 22:05.720]  Hence the additional IDA stuff.
[22:06.040 --> 22:13.940]  And then just more or less actually get more underneath the hood of how the battery management itself and the drive inverters work.
[22:13.940 --> 22:23.960]  The drive inverters are not something that I actually have hardware on a bench for, but because they're very expensive, the whole drive inverter is inside the drive unit.
[22:23.960 --> 22:30.820]  The drive unit is a multi-thousand dollar piece of equipment, but yeah, that's where I would like to go from there.
[22:30.820 --> 22:37.040]  I want to see where the steps are for the P90D and the P100D because those cars are faster.
[22:38.120 --> 22:50.480]  So we did get a really good question that was, for those not familiar with the whole gateway CAN bus stuff, would the car be able to phone home after you've made the ludicrous speed modification?
[22:51.140 --> 23:02.000]  Yeah, so the vehicle within its firmware itself has a function where actually it uploads the config to Tesla on a regular basis.
[23:02.060 --> 23:05.680]  I think it's like vitals.json and puts it in JSON format.
[23:05.680 --> 23:15.660]  So basically they take the vehicle's config and whenever, I think it's when the car goes to sleep, it actually uploads that information to Tesla.
[23:15.660 --> 23:29.360]  So anytime someone makes a change that wasn't done by someone else, or I'm sure even when the service center makes a change, that is going to be seen on Tesla's end, unless of course you figure out a way around that.
[23:30.760 --> 23:37.720]  I imagine that you're probably no longer under warranty as soon as you root the front panel or something like that.
[23:37.720 --> 23:46.800]  Um, you know, the Magnuson-Moss Act protects a lot of stuff. So, but I'm not a lawyer, so I'm not even going to go there and try and figure it out.
[23:47.300 --> 23:54.420]  But, you know, it's like, if you root the center display, and you have a problem with your brakes, how are the two related?
[23:55.620 --> 23:56.600]  You know?
[23:56.600 --> 23:57.560]  Yeah, fair.
[23:57.640 --> 24:04.500]  But if you root your center display, and you break your center display, it's a totally different situation, right?
[24:04.500 --> 24:08.320]  That's all a great legal area that I'm not even going to dare go.
[24:09.300 --> 24:19.240]  And to follow up on that question, if Tesla does get made aware of this bypass that you put into place, could they then reverse it and remove it from you?
[24:20.100 --> 24:32.880]  I'm sure they have. I mean, there are stories out there about how people had a ludicrous speed vehicle, and then after they purchased it, it was removed because Tesla said they audited it and found out that it shouldn't have had it and removed it.
[24:33.640 --> 24:44.680]  And then of course, the person who bought the vehicle was pretty pissed off. So I don't know what the resolution on that was. But there's also a huge amount of controversy around the whole supercharging thing.
[24:44.680 --> 24:51.140]  So if you buy a salvage Tesla, it has supercharging disabled.
[24:52.380 --> 24:57.680]  Tesla does that. It's, you know, their prerogative, their supercharger network, but it makes it very difficult to go on trips.
[24:57.720 --> 25:02.740]  And people figured out, using the same techniques that I'm talking about here, how to re-enable that again.
[25:03.520 --> 25:12.060]  And then there was a thing that came out recently, which basically says, you know, you're opening yourselves up to getting sued by us because you're basically getting something that you shouldn't be.
[25:13.040 --> 25:22.020]  My only suggestion for Tesla is like, why not verify the safety of it and then only enable it where they have to pay for it? Now you've got a source of revenue, but
[25:22.660 --> 25:32.060]  That was going to be my next question, because I know that after a certain point, they stopped allowing superchargers to be free for Teslas.
[25:32.060 --> 25:36.020]  But it sounds like it's completely disabled on these salvage vehicles.
[25:36.020 --> 25:42.920]  It's disabled. The way I understand it is if the vehicle has free supercharging, it has free supercharging.
[25:42.940 --> 25:46.500]  But as soon as the vehicle is sold back to Tesla, it's lost.
[25:47.400 --> 25:55.440]  This particular vehicle has free supercharging because it was purchased with free supercharging, so it should always have that.
[25:55.440 --> 25:59.000]  But, you know, as I understand, they haven't taken it away from anywhere.
[25:59.000 --> 26:06.620]  They said, you know, this vehicle will have free supercharging for life unless it has been in an accident and been totaled out by an insurance company.
[26:07.940 --> 26:13.520]  So it wasn't just like Tesla purchasing it back and then reselling it with it disabled or something like that.
[26:14.740 --> 26:17.900]  It's like, you know, people trade in their cars, people trade in their Teslas.
[26:17.900 --> 26:20.260]  I think when they sell them out again, they don't have free supercharging.
[26:20.260 --> 26:20.840]  I don't know.
[26:21.000 --> 26:21.980]  That makes sense.
[26:21.980 --> 26:23.260]  I don't keep track of their money.
[26:24.180 --> 26:25.260]  I didn't know.
[26:25.260 --> 26:28.940]  It seems like a really kind of sketchy area.
[26:28.940 --> 26:31.760]  So any kind of details that I can pull out of you?
[26:32.180 --> 26:33.360]  Yeah, their frog is.
[26:33.500 --> 26:34.000]  Yeah.
[26:34.120 --> 26:42.100]  So it seems as though with where electric cars are going now, that this is going to be a really great area of research.
[26:42.100 --> 26:48.220]  And what kind of advice would you give to people that want to get started with car hacking research?
[26:48.220 --> 26:51.440]  Like if somebody wants to start from the ground up, what sorts of things could they do?
[26:51.440 --> 26:52.700]  Where should they start looking?
[26:53.400 --> 26:54.620]  Start learning CAN bus.
[26:54.620 --> 26:57.420]  That seems to be where a lot of it gets from there.
[26:57.420 --> 27:03.860]  Learn UDS and from there, learn about like binary reversing and just reverse engineering in general.
[27:03.940 --> 27:11.240]  Go to a junkyard, find a car that you find interesting, verify, you know, it has CAN bus and start ripping modules out.
[27:11.240 --> 27:19.120]  We did something with our company called a junkyard hackathon where a bunch of us went out and just ripped apart various vehicles.
[27:19.120 --> 27:20.260]  Craig Smith helped us.
[27:20.260 --> 27:22.680]  He's the writer of, you know, The Car Hacker's Handbook.
[27:22.740 --> 27:25.620]  And we got like several vehicles worth of modules.
[27:25.620 --> 27:33.060]  Even if you just get one module, take it apart, figure out what CPU it has, you know, learn how to hardware hack it.
[27:33.100 --> 27:34.900]  And from there, have fun.
[27:35.500 --> 27:41.160]  Yeah, I thought I've seen in some of the videos with people hacking on electric cars.
[27:42.260 --> 27:50.360]  Maybe I'm remembering this wrong, but is there any risk to a car sitting in a junkyard still holding any kind of electrical charge that people should be aware of?
[27:51.200 --> 27:55.120]  Yeah, because high voltage is high voltage, it'll hurt you either way.
[27:55.400 --> 27:58.500]  I personally have never been to a junkyard where I've seen electric cars.
[27:58.500 --> 28:04.380]  I've only seen the salvage yards where they're like the warranty auction places.
[28:04.380 --> 28:06.020]  And you see those online.
[28:06.360 --> 28:10.540]  But the actual junkyards themselves, I don't think I've ever seen an electric vehicle in the junkyard.
[28:10.640 --> 28:15.940]  Even a hybrid would be dangerous, though, because the hybrid still has high voltage because it has an electric motor.
[28:21.420 --> 28:24.060]  We got one question, and it's kind of more like...
[28:25.900 --> 28:31.020]  Hawkeye is wondering if Teslas have a problem with shutting down if their error messages reach a critical amount of storage space.
[28:31.020 --> 28:36.120]  I'm guessing that has to do with the eMMC logging thing or...
[28:37.360 --> 28:39.840]  I've never seen one run out of storage space.
[28:39.840 --> 28:42.680]  It's just the volume of logging.
[28:42.820 --> 28:45.360]  And I believe at a certain point it overwrites itself.
[28:45.360 --> 28:52.980]  But it's just the volume of constantly writing to the eMMC that wears it down, not the device storage actually filling up.
[28:53.840 --> 28:56.940]  And it's unfortunate because it's like a $20 part.
[28:56.940 --> 29:03.900]  The eMMC module itself on that Jaguar is a very inexpensive part, but it's a $2,000 repair if you take it to a service center.
[29:05.200 --> 29:05.980]  Excellent.
[29:07.120 --> 29:14.180]  So as we start wrapping this up, what sorts of takeaways do you want people to have from your presentation?
[29:14.180 --> 29:16.820]  And what would be your call to action?
[29:16.820 --> 29:23.260]  Or what would you like to see come about based on your research and your presentation that you've put out there?
[29:23.980 --> 29:35.160]  Well, I'd love for someday for Tesla owners to be able to work on their own vehicles, for there to be like a consumer version of the tools that are used to work on and diagnose the vehicles.
[29:35.160 --> 29:41.240]  Because right now, you just have to take it to the garage and pay the service center to do that.
[29:41.240 --> 29:44.580]  I can understand why the high voltage components, why you want to do that.
[29:44.580 --> 29:49.920]  But as these cars age and continue to be out there in the fleet, there needs to be another method.
[29:50.520 --> 29:54.560]  You know, in addition to that, just this is kind of like the next version of hot rodding.
[29:55.540 --> 29:57.180]  People are going to figure this out.
[29:57.500 --> 30:00.720]  Now that, you know, kind of electric cars are becoming more and more mainstream.
[30:01.520 --> 30:04.600]  There are going to be people that want to buy them and make them faster.
[30:04.600 --> 30:14.940]  And you can make them faster by either lightening them or you make them faster by, you know, tweaking what's under the hood, just like you would on a, you know, standard internal combustion engine.
[30:14.940 --> 30:18.020]  So this is kind of like the next phase of where that's going to go.
[30:18.380 --> 30:20.420]  Awesome. Thank you so much for doing this.
[30:20.420 --> 30:26.720]  Thanks so much for your presentation that people can go see on the YouTube with the DEF CON channel.
[30:26.720 --> 30:28.220]  So thanks for doing this, Patrick.
[30:28.220 --> 30:30.840]  Really enjoyed you discussing this with us.
[30:31.520 --> 30:32.340]  All right. Thank you.
